IN THE CLAIMS

This listing of claims will replace all prior versions and listings of claims in the 
Application: 

LISTING OF CLAIMS: 
1-2. (Cancelled)

3. (Currently amended) The [[system]] proxy server according to claim [[1]] 25,
wherein said [[content]] data file includes static content.

4. (Currently amended) The [[system]] proxy server according to claim [[1]] 25,
wherein said [[content]] data file includes dynamic content.

5. (Currently amended) The [[system]] proxy server according to claim [[1]] 25,
wherein said [[communication means includes a secure transform configured to
encrypt and encapsulate encapsulating said content into a message]] encrypting
said received data block is performed as a function of a shared session [[ID]] secret
shared between said proxy server and said client machine [[is configured to extract
said content from said message]].

6. (Currently amended) The [[system]] proxy server according to claim [[1]] 25,
wherein said proxy [[system]] server further includes a user interface, configured to
facilitate creation and editing of said access [[policies and said usage policies]]
policy and association of said access [[policies and said usage policies]] policy with
said [[content]] data file.



7-10. (Cancelled)

11. (Currently amended) The method of claim [[9]] 20, wherein said [[content]] data
file includes static content.

12. (Currently amended) The method of claim [[9]] 20, wherein said [[content]] data
file includes dynamic content.

13. (Currently amended) The method of claim [[9]] 20, wherein said [[communicating
is accomplished using a communication means that includes a secure transform,
including encrypting and encapsulating said content into a message]] encrypting
said received data block is performed as a function of a shared session [[ID and
said client device is configured to extract said content from said message]] secret
shared between said proxy server and said client machine.

14. (Currently amended) The method of claim [[9]] 20, wherein said proxy [[system
further]] server includes a user interface and [[step A include]] the method further
includes creating and/or editing said access [[policies and said usage policies]]
policy and associating said access [[policies and said usage policies]] policy with
said [[content]] data file using said user interface.

15-16. (Cancelled) 

17. (Currently amended) The [[system]] proxy server according to claim [[1]] 25:

wherein [[the access control module is further configured to encrypt]] each
data block of the [[content]] data file is encrypted independently, using a unique
initialization vector for each data block and one or more encryption/decryption
keys; and

wherein the [[one or more communication means also provide the]] one or
more encryption/decryption keys are also provided to said client [[device]] machine.



18. (Cancelled)

19. (Currently amended) The method of claim [[9]] 20 wherein the method further
comprises:

encrypting each data block of the [[content]] data file independently, using a
unique initialization vector for each data block and one or more
encryption/decryption keys; and

communicating said one or more encryption/decryption keys to said client
[[device associated with said one or more user and/or client device]]

20. (Previously Presented) A method performed by a proxy server, the method 
comprising: 

receiving, over a first network connection, a Network File System (NFS) 
based request from a client machine for a data block of a data file from a remote 
network attached storage system, the request having an associated user, the 
data block having a fixed preconfigured size associated with the data file; 

requesting, from an authentication server, an access policy associated 
with the associated user; 

receiving, from the authentication server, the access policy associated 
with the associated user; 

determining, from the access policy associated with the associated user 
and metadata associated with the data file, the metadata being stored on the 
remote network attached storage system, if the associated user has the authority 
to access the data file; and 

if the associated user has the authority to access the data file, then: 
establishing a set of usage rights based on the access policy
associated with the associated user and the metadata associated with the
data file;

requesting, over a second network connection, from the network 
attached storage system, the data block of the data file;

receiving, over the second network connection, from the network
attached storage system, the data block of the data file; 

encrypting the received data block, such that only an authorized 
client module executing on the client machine by the associated user can 
decrypt the encrypted received data block; 

encapsulating within a packet: 

the encrypted received data block; and 
the established set of usage rights; and 

sending, over a secure channel, the packet to the client machine 
such that only the authorized client module can access the encrypted 
received data block and only when such access is in accordance with the 
established set of usage rights, said authorized client module running 
transparently to the associated user, logically interposed between an 
application layer and an operating system kernel layer. 

21. (Previously Presented) A method as in claim 20 wherein the established set
of usage rights includes one or more access restrictions, each usage restriction 
including: 

a restriction type; and 

a set of parameters associated with the restriction type. 

22. (Previously Presented) A method as in claim 21 wherein the restriction type 
indicates that data from the encrypted received data block may only be e-mailed 
to recipients listed within the set of parameters. 

23. (Previously Presented) A method as in claim 20 wherein the access policy 
associated with the associated user includes a set of access conditions, each 
access condition including: 

a condition type; and 

a set of parameters associated with the condition type.

24. (Currently amended) A method as in claim 23 wherein the condition type
indicates that the associated user only has the authority to access the data file
when [[the]] a clock time falls between a first value listed in a first parameter of the
set of parameters and a second value listed in a second parameter of the set of 
parameters. 

25. (New) A proxy server, comprising: 

processing circuitry; and 
network communications circuitry; 

the processing circuitry and network communications circuitry being 
operative together to perform a method including: 

receiving, over a first network connection, a Network File System 
(NFS) based request from a client machine for a data block of a data file 
from a remote network attached storage system, the request having an 
associated user, the data block having a fixed preconfigured size 
associated with the data file; 

requesting, from an authentication server, an access policy 
associated with the associated user; 

receiving, from the authentication server, the access policy 
associated with the associated user; 

determining, from the access policy associated with the associated 
user and metadata associated with the data file, the metadata being 
stored on the remote network attached storage system, if the associated 
user has the authority to access the data file; and 

if the associated user has the authority to access the data file, then: 

establishing a set of usage rights based on the access policy 
associated with the associated user and the metadata associated with the 
data file;

requesting, over a second network connection, from the network
attached storage system, the data block of the data file; 

receiving, over the second network connection, from the network 
attached storage system, the data block of the data file; 

encrypting the received data block, such that only an authorized 
client module executing on the client machine by the associated user can 
decrypt the encrypted received data block; 

encapsulating within a packet: 

the encrypted received data block; and 
the established set of usage rights; and 

sending, over a secure channel, the packet to the client machine 
such that only the authorized client module can access the encrypted 
received data block and only when such access is in accordance with the 
established set of usage rights, said authorized client module running 
transparently to the associated user, logically interposed between an 
application layer and an operating system kernel layer. 

26. (New) A proxy server as in claim 25 wherein the established set of usage 
rights includes one or more access restrictions, each usage restriction including: 

a restriction type; and 

a set of parameters associated with the restriction type. 

27. (New) A proxy server as in claim 26 wherein the restriction type indicates that 
data from the encrypted received data block may only be e-mailed to recipients 
listed within the set of parameters. 

28. (New) A proxy server as in claim 25 wherein the access policy associated 
with the associated user includes a set of access conditions, each access 
condition including: 

a condition type; and

a set of parameters associated with the condition type.

29. (New) A proxy server as in claim 28 wherein the condition type indicates that 
the associated user only has the authority to access the data file when a clock 
time falls between a first value listed in a first parameter of the set of parameters 
and a second value listed in a second parameter of the set of parameters. 
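
Added illustration, not part of the filed claims and not the applicant's code: one way the policy structures recited in claims 21-24 and 26-29 could be evaluated, with access conditions and usage restrictions each held as a type plus a set of parameters. The key names, the "time_window" and "email_recipients" type strings, the HH:MM parameter format and the fail-closed handling of unknown condition types are assumptions; the file-metadata part of the determination is not modelled.

```python
from datetime import time

# Constructed sample policy; key names and type strings are assumptions.
POLICY = {
    "access_conditions": [
        {"type": "time_window", "params": ["08:00", "18:00"]},
    ],
    "usage_restrictions": [
        {"type": "email_recipients",
         "params": ["alice@example.com", "bob@example.com"]},
    ],
}

def in_window(now, start, end):
    """True if now lies between start and end; a window may span midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end

def check_time_window(params, now):
    # Claims 24/29: first parameter is the lower bound, second the upper.
    if len(params) != 2:
        return False
    start, end = (time.fromisoformat(p) for p in params)
    return in_window(now, start, end)

CONDITION_CHECKS = {"time_window": check_time_window}

def establish_usage_rights(policy, now):
    """Proxy side: return the usage restrictions if every access condition
    holds, else None. Unknown condition types deny (fail closed)."""
    for cond in policy.get("access_conditions", []):
        check = CONDITION_CHECKS.get(cond["type"])
        if check is None or not check(cond["params"], now):
            return None
    return list(policy.get("usage_restrictions", []))

def may_email(usage_rights, recipient):
    """Client-module side: claims 22/27 allow e-mail only to listed recipients."""
    for right in usage_rights:
        if right["type"] == "email_recipients":
            allowed = {p.lower() for p in right["params"]}
            if recipient.lower() not in allowed:
                return False
    return True
```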



